* [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
[not found] <20240404203336.10454-1-ville.syrjala@linux.intel.com>
@ 2024-04-04 20:33 ` Ville Syrjala
2024-04-05 3:24 ` Dmitry Baryshkov
0 siblings, 1 reply; 5+ messages in thread
From: Ville Syrjala @ 2024-04-04 20:33 UTC (permalink / raw)
To: dri-devel; +Cc: intel-gfx, stable
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
The modes[] array contains pointers to modes on the connectors'
mode lists, which are protected by dev->mode_config.mutex.
Thus we need to extend modes[] the same protection or by the
time we use it the elements may already be pointing to
freed/reused memory.
Cc: stable@vger.kernel.org
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
---
drivers/gpu/drm/drm_client_modeset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c
index 871e4e2129d6..0683a129b362 100644
--- a/drivers/gpu/drm/drm_client_modeset.c
+++ b/drivers/gpu/drm/drm_client_modeset.c
@@ -777,6 +777,7 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
unsigned int total_modes_count = 0;
struct drm_client_offset *offsets;
unsigned int connector_count = 0;
+ /* points to modes protected by mode_config.mutex */
struct drm_display_mode **modes;
struct drm_crtc **crtcs;
int i, ret = 0;
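Review bot: The new comment above `struct drm_display_mode **modes;` says what the entries point to but not the rule a later editor has to follow. Suggest wording it as a lifetime constraint, for example that modes[] entries are borrowed from the connectors' mode lists and must not be dereferenced once dev->mode_config.mutex is dropped, so that the unlock does not drift back above the last use.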
@@ -845,7 +846,6 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
drm_client_pick_crtcs(client, connectors, connector_count,
crtcs, modes, 0, width, height);
}
- mutex_unlock(&dev->mode_config.mutex);
drm_client_modeset_release(client);
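Review bot: With `mutex_unlock(&dev->mode_config.mutex);` removed at this point, `drm_client_modeset_release(client);` and everything down to the relocated unlock now run with mode_config.mutex held, which the commit message does not mention. Please confirm that nothing in that region takes dev->mode_config.mutex itself, and state in the commit message that the critical section now covers it.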
@@ -875,6 +875,7 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
modeset->y = offset->y;
}
}
+ mutex_unlock(&dev->mode_config.mutex);
mutex_unlock(&client->modeset_mutex);
out:
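Review bot: The relocated `mutex_unlock(&dev->mode_config.mutex);` sits just above the `out:` label, so any `goto out` taken while the mutex is held would skip it. The hunks do not show where the jumps to `out:` are; worth checking that all of them happen before the lock is taken, or adding a second label that unlocks first.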
--
2.43.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
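The lifetime problem the commit message describes, as an added single-threaded C model (not code from the patch or from DRM). `struct connector`, `reprobe()`, `probe()` and `run_demo()` are hypothetical names, a flag stands in for dev->mode_config.mutex, and a generation counter detects the stale pointer so the model never touches freed memory.

```c
#include <stdlib.h>
/* Single-threaded model; all names are hypothetical stand-ins, not DRM code. */
struct mode { int hdisplay; };
struct connector {
    int locked;          /* stands in for dev->mode_config.mutex */
    struct mode *modes;  /* stands in for the connector's mode list */
    unsigned gen;        /* bumped whenever the list is freed and rebuilt */
};

/* Hotplug re-probe: frees and rebuilds the list; returns 0 where a real one would block. */
static int reprobe(struct connector *c, int hdisplay)
{
    if (c->locked)
        return 0;
    free(c->modes);
    c->modes = malloc(sizeof(*c->modes));
    if (!c->modes)
        abort();
    c->modes->hdisplay = hdisplay;
    c->gen++;
    return 1;
}

/* Returns the picked mode's hdisplay, or -1 if the borrowed pointer is stale. */
static int probe(struct connector *c, int unlock_early)
{
    struct mode *picked;   /* like modes[i]: borrowed from the list, not owned */
    unsigned gen;
    int ret;
    c->locked = 1;
    picked = c->modes;
    gen = c->gen;
    if (unlock_early)
        c->locked = 0;     /* pre-patch: unlock before the pointer is used */
    reprobe(c, 1280);      /* constructed hotplug landing in that window */
    /* The model checks the generation instead of touching freed memory. */
    ret = (gen == c->gen) ? picked->hdisplay : -1;
    c->locked = 0;         /* patched ordering: unlock only after the last use */
    return ret;
}

int run_demo(int unlock_early)
{
    struct connector c = { 0, NULL, 0 };
    int ret;
    reprobe(&c, 1920);     /* initial probe populates the list */
    ret = probe(&c, unlock_early);
    free(c.modes);
    return ret;
}
```

`run_demo(1)` models the ordering before the patch and reports the stale pointer; `run_demo(0)` models the patched ordering, where the re-probe cannot run until the last use is done.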
* Re: [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
2024-04-04 20:33 ` [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex Ville Syrjala
@ 2024-04-05 3:24 ` Dmitry Baryshkov
2024-04-05 19:17 ` Ville Syrjälä
0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Baryshkov @ 2024-04-05 3:24 UTC (permalink / raw)
To: Ville Syrjala; +Cc: dri-devel, intel-gfx, stable
On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote:
> From: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
> The modes[] array contains pointers to modes on the connectors'
> mode lists, which are protected by dev->mode_config.mutex.
> Thus we need to extend modes[] the same protection or by the
> time we use it the elements may already be pointing to
> freed/reused memory.
>
> Cc: stable@vger.kernel.org
> Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
> Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
I tried looking for the proper Fixes tag, but it looks like it might be
something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup properly.")
> ---
> drivers/gpu/drm/drm_client_modeset.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c
> index 871e4e2129d6..0683a129b362 100644
> --- a/drivers/gpu/drm/drm_client_modeset.c
> +++ b/drivers/gpu/drm/drm_client_modeset.c
> @@ -777,6 +777,7 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
> unsigned int total_modes_count = 0;
> struct drm_client_offset *offsets;
> unsigned int connector_count = 0;
> + /* points to modes protected by mode_config.mutex */
> struct drm_display_mode **modes;
> struct drm_crtc **crtcs;
> int i, ret = 0;
> @@ -845,7 +846,6 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
> drm_client_pick_crtcs(client, connectors, connector_count,
> crtcs, modes, 0, width, height);
> }
> - mutex_unlock(&dev->mode_config.mutex);
>
> drm_client_modeset_release(client);
>
> @@ -875,6 +875,7 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
> modeset->y = offset->y;
> }
> }
> + mutex_unlock(&dev->mode_config.mutex);
>
> mutex_unlock(&client->modeset_mutex);
> out:
> --
> 2.43.2
>
--
With best wishes
Dmitry
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
2024-04-05 3:24 ` Dmitry Baryshkov
@ 2024-04-05 19:17 ` Ville Syrjälä
2024-04-05 20:39 ` Dmitry Baryshkov
0 siblings, 1 reply; 5+ messages in thread
From: Ville Syrjälä @ 2024-04-05 19:17 UTC (permalink / raw)
To: Dmitry Baryshkov; +Cc: dri-devel, intel-gfx, stable
On Fri, Apr 05, 2024 at 06:24:01AM +0300, Dmitry Baryshkov wrote:
> On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote:
> > From: Ville Syrjälä <ville.syrjala@linux.intel.com>
> >
> > The modes[] array contains pointers to modes on the connectors'
> > mode lists, which are protected by dev->mode_config.mutex.
> > Thus we need to extend modes[] the same protection or by the
> > time we use it the elements may already be pointing to
> > freed/reused memory.
> >
> > Cc: stable@vger.kernel.org
> > Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
> > Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
>
> I tried looking for the proper Fixes tag, but it looks like it might be
> something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup properly.")
The history is rather messy. I think it was originally completely
lockless and broken, and got fixed piecemeal later in these:
commit 7394371d8569 ("drm: Take lock around probes for drm_fb_helper_hotplug_event")
commit 966a6a13c666 ("drm: Hold mode_config.lock to prevent hotplug whilst setting up crtcs")
commit e13a05831050 ("drm/fb-helper: Stop using mode_config.mutex for internals")
looks to me like where the race might have been re-introduced.
But didn't do a thorough analysis so not 100% sure. It's all
rather ancient history by now so a Fixes tag doesn't seem all
that useful anyway.
--
Ville Syrjälä
Intel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
2024-04-05 19:17 ` Ville Syrjälä
@ 2024-04-05 20:39 ` Dmitry Baryshkov
2024-04-05 20:57 ` Ville Syrjälä
0 siblings, 1 reply; 5+ messages in thread
From: Dmitry Baryshkov @ 2024-04-05 20:39 UTC (permalink / raw)
To: Ville Syrjälä; +Cc: dri-devel, intel-gfx, stable
On Fri, 5 Apr 2024 at 22:17, Ville Syrjälä
<ville.syrjala@linux.intel.com> wrote:
>
> On Fri, Apr 05, 2024 at 06:24:01AM +0300, Dmitry Baryshkov wrote:
> > On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote:
> > > From: Ville Syrjälä <ville.syrjala@linux.intel.com>
> > >
> > > The modes[] array contains pointers to modes on the connectors'
> > > mode lists, which are protected by dev->mode_config.mutex.
> > > Thus we need to extend modes[] the same protection or by the
> > > time we use it the elements may already be pointing to
> > > freed/reused memory.
> > >
> > > Cc: stable@vger.kernel.org
> > > Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
> > > Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> >
> > Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> >
> > I tried looking for the proper Fixes tag, but it looks like it might be
> > something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup properly.")
>
> The history is rather messy. I think it was originally completely
> lockless and broken, and got fixed piecemeal later in these:
> commit 7394371d8569 ("drm: Take lock around probes for drm_fb_helper_hotplug_event")
> commit 966a6a13c666 ("drm: Hold mode_config.lock to prevent hotplug whilst setting up crtcs")
>
> commit e13a05831050 ("drm/fb-helper: Stop using mode_config.mutex for internals")
> looks to me like where the race might have been re-introduced.
> But didn't do a thorough analysis so not 100% sure. It's all
> rather ancient history by now so a Fixes tag doesn't seem all
> that useful anyway.
Well, you have added stable to cc list, so you expect to have this
patch backported. Then it should either have a kernel version as a
'starting' point or a Fixes tag to assist the stable team.
--
With best wishes
Dmitry
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
2024-04-05 20:39 ` Dmitry Baryshkov
@ 2024-04-05 20:57 ` Ville Syrjälä
0 siblings, 0 replies; 5+ messages in thread
From: Ville Syrjälä @ 2024-04-05 20:57 UTC (permalink / raw)
To: Dmitry Baryshkov; +Cc: dri-devel, intel-gfx, stable
On Fri, Apr 05, 2024 at 11:39:33PM +0300, Dmitry Baryshkov wrote:
> On Fri, 5 Apr 2024 at 22:17, Ville Syrjälä
> <ville.syrjala@linux.intel.com> wrote:
> >
> > On Fri, Apr 05, 2024 at 06:24:01AM +0300, Dmitry Baryshkov wrote:
> > > On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote:
> > > > From: Ville Syrjälä <ville.syrjala@linux.intel.com>
> > > >
> > > > The modes[] array contains pointers to modes on the connectors'
> > > > mode lists, which are protected by dev->mode_config.mutex.
> > > > Thus we need to extend modes[] the same protection or by the
> > > > time we use it the elements may already be pointing to
> > > > freed/reused memory.
> > > >
> > > > Cc: stable@vger.kernel.org
> > > > Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
> > > > Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> > >
> > > Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> > >
> > > I tried looking for the proper Fixes tag, but it looks like it might be
> > > something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup properly.")
> >
> > The history is rather messy. I think it was originally completely
> > lockless and broken, and got fixed piecemeal later in these:
> > commit 7394371d8569 ("drm: Take lock around probes for drm_fb_helper_hotplug_event")
> > commit 966a6a13c666 ("drm: Hold mode_config.lock to prevent hotplug whilst setting up crtcs")
> >
> > commit e13a05831050 ("drm/fb-helper: Stop using mode_config.mutex for internals")
> > looks to me like where the race might have been re-introduced.
> > But didn't do a thorough analysis so not 100% sure. It's all
> > rather ancient history by now so a Fixes tag doesn't seem all
> > that useful anyway.
>
> Well, you have added stable to cc list, so you expect to have this
> patch backported. Then it should either have a kernel version as a
> 'starting' point or a Fixes tag to assist the stable team.
It'll get backported just fine without either.
--
Ville Syrjälä
Intel
^ permalink raw reply [flat|nested] 5+ messages in thread